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1 EPO 

Description 

BACKGROUND OF THE INVENTION 

The present invention generally relates to trans- 
action authentication systems, and more particularly 
to a transaction authentication system which authen- 
ticates a transaction which uses an integrated circuit 
(IC) card after the transaction is made. 

Presently, transactions using cards are popular 
due to their convenience. But on the other hand, ille- 
gal use of such cards is increasing and it is becoming 
more and more important to authenticate the transac- 
tions. 

Conventionally, when authenticating a transac- 
tion which uses a magnetic stripe card, a verified data 
is generated within a terminal device in conformance 
with a predetermined algorithm and is added to a 
transaction data. The uniqueness of the data is used 
when discriminating whether or not the transaction is 
correctly performed. 

For example, the magnetic stripe card is loaded 
on a point-of-sales (POS) terminal or the like when 
using a credit service. Prior to making a transaction, 
a check is made to prevent illegal use of the magnetic 
stripe card. For example, a persona! identification 
number (PIN) is entered by the user and the POS ter- 
minal discriminates whether or not the entered PIN 
corresponds with a PIN which is prerecorded on the 
magnetic stripe card, and the POS terminal discrim- 
inates whether or not the use of the magnetic stripe 
card on the POS terminal is permitted based on a ter- 
minal confirmation code. After it is discriminated that 
the PIN entered by the user corresponds with the PIN 
prerecorded on the magnetic stripe card and that the 
use of the magnetic stripe card is permitted on the 
POS terminal, the POS terminal adds verified data to 
the transaction data and temporarily stores the data 
on a recording medium. The verified data is generat- 
ed within the POS terminal in conformance with a pre- 
determined algorithm. For example, the recording 
medium is a flexible disc. After the transaction ends, 
a transaction historical information is transferred to a 
host computer within an operation center or the like 
by a batch data transmission. 

The character of the verified data differs from 
that of the PIN in that the user is unaware of the ex- 
istence of the verified data and the verified data is not 
used for prohibiting the transaction. Normally, a 
check is made after the transaction is made to deter- 
mine whether or not the value of the verified data is 
in conformance with the generating algorithm so as to 
discriminate whether or not the transaction made was 
legitimate. 

However, a person who is familiar with the oper- 
ations and functions of the POS terminal may easily 
decode a program for generating the verified data. 
Furthermore, a person who somehow finds out the 
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generating algorithm for generating the verified data 
may easily and freely operate the POS terminal with- 
out using a magnetic stripe card. Such persons can 
make an illegal transaction by fabricating or altering 

5 the transaction data and the verified data. When 
making the illegal transaction, such persons can 
easily make the verified data which is added to the il- 
legal transaction data take a value in conformance 
with the generating algorithm, and in this case, it is im- 

10 possible to find out that an illegal transaction was 
made. An integrated circuit (IC) card also suffers a 
similar problem because the verified data is generat- 
ed and added to the transaction data within the ter- 
minal. 

15 US-A-4 529 870 discloses a transaction authen- 

tication system whose object is to prevent an illegal 
transaction from being made. A card includes en- 
crypted account data, including an account balance, 
which is updated at each transaction performed by in- 

20 setting the card in a terminal. This account data also 
includes "check numbers", which are combined with 
(e.g. decrypted using) a secret owner ID supplied by 
the user, so as to prevent unauthorised use of the 
card. The check numbers may be wholly predeter- 

25 mined and pre-stored on the card in advance. After re- 
ceiving transaction data including a check number as- 
signed to the transaction, the terminal can forward 
the data to a central clearing house for debiting the 
account However, there is no use of historical trans- 

30 action data for authenticating transactions which 
have already taken place. The system relies on en- 
cryption of data on the card and of communication be- 
tween the data and terminal, in order to prevent un- 
authorised access to the data on the card or eaves- 

35 dropping of transmitted data. Thus, illegal transac- 
tions are prevented from being made in the first place. 

EP-A-0 234 954 discloses a self-contained card 
that does not require interaction with a terminal in or- 
der to enter a PIN. The user enters a PIN directly into 

40 the card itself; the card then produces a transaction 
identification code (TIC) which varies for each trans- 
actional use of the card. The TIC can then be verified 
by passing the card through a card reader or the like. 
According to the present invention, there is pro- 

45 vided a transaction authentication system comprising 
terminal means comprising first processing means 
and a card reader/writer; first memory means; and an 
integrated circuit card which is detachably loaded into 
said card reader/writer, said card comprising second 

so processing means and second memory means, 
wherein said terminal means supplies transaction 
data which is related to a transaction and a designat- 
ed storage region in said second memory means for 
storing the transaction data in said card when said 

55 card accesses a service via said terminal means; said 
second processing means of said card writes the 
transaction data received from said terminal means in 
the designated storage region of said second memory 
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means, and also generates verified data which is re- 
newed every time the transaction data is written into 
said second memory, said verif ied data having a val- 
ue in conformance with a predetermined generating 
algorithm, said verified data being stored in said sec- 
ond memory means and also supplied to said terminal 
means; and said first processing means of said termi- 
nal means generates transaction historical informa- 
tion which includes at least the designated storage re- 
gion, the transaction data and the verified data and 
stores the transaction historical information in said 
first memory means, whereby a transaction is au- 
thenticatable by comparing the verified data stored in 
said first memory means (12, 18) and the verified 
data stored in said second memory means, non-cor- 
respondence of the verified data indicating that an il- 
legal transaction has been made. 

Thus, verified data which is unique for each 
transaction is stored within the IC card and is also 
supplied to the terminal means to be stored in the first 
memory means. Hence, it is possible to authenticate 
the transaction by verifying the verified data stored 
within the IC card and the first memory means. The 
verified data cannot be fabricated or altered even by 
a person who is familiar with the programs of the ter- 
minal means, and the reliability of the IC card is great- 
ly improved compared to the conventional case be- 
cause illegal transactions can easily be found. 

Reference is made, by way of example, to the ac- 
companying drawings, in which:- 

Fig. 1 is a system block diagram for explaining an 
operating principle of a transaction authentica- 
tion system according to the present invention; 
Fig. 2 is a system block diagram of a first embodi- 
ment of the Fig. 1 system; 
Fig. 3 is a system block diagram showing an em- 
bodiment of an IC card used in the first embodi- 
ment; 

Figs. 4A and 4B respectively are a perspective 
view and a system block diagram for explaining 
the embodiment of the IC card shown in Fig. 3 in 
more detail; 

Fig. 5 is a system block diagram of an IC card 
used in a second embodiment; 
Figs. 6A, 6B and 6C respectively are flow charts 
for explaining an operation of a central process- 
ing unit of the IC card shown in Fig. 5; and 
Fig. 7 is a side view in cross-section generally 
showing an embodiment of a card reader/writer 
which is used in the second embodiment 

DESCRIPTION OF THE PREFERRED 
EMBODIMENTS 

First, a description will be given of an operating 
principle of a transaction authentication system ac- 
cording to the present invention, by referring to FIG.1 . 
The transaction authentication system generally 



comprises an IC card 1, a terminal 9, and a memory 
device 12. The IC card 1 comprises a processor 2, a 
first memory 3 which prestores a plurality of process- 
ing means (or programs) for operating the processor 

5 2, and a second memory 4 which stores a transaction 
data which is processed by the operation of the proc- 
essor 2. When making a transaction using the IC card 
1, the transaction authentication system starts the 
transaction after authenticating a specific informa- 

10 tion which is stored in the IC card 1 . The second mem- 
ory 4 includes transaction data storage regions 8 
which are respectively designated for each transac- 
tion and storage regions 27 which respectively store 
a transaction execution identifying information for 

15 each transaction in correspondence with a transac- 
tion data storage region 8. The processor 2 includes 
a write means 5 for designating the transaction data 
storage region 8 and for storing a transaction data 
therein, a verified data generating means 6 for gen- 

20 erating a verified data for a transaction based on the 
transaction execution identifying information, and a 
renewing means 7 for renewing the transaction exe- 
cution identifying information within the storage re- 
gion 27 every time the transaction data is received. 

25 The IC card 1 is loaded into the terminal 9 which 
can read and write information with respect to the IC 
card 1 . The terminal 9 comprises a transaction proc- 
essing means 10 for executing a transaction after the 
specific information of the IC card 1 is confirmed, and 

30 a transaction historical information generating means 
11 for generating a transaction historical information 
in which a transaction data is added with a verified 
data which is read from the IC card 1 and an informa- 
tion which designates the transaction data storage re- 

35 gion 8 for each transaction. The memory device 12 
stores the transaction historical information which is 
received from the terminal 9. 

The transaction is made as follows. That is, when 
the IC card 1 is loaded into the terminal 9, the terminal 

40 9 reads a card identification information (for example, 
a card name) from the IC card 1 via a route which is 
not shown in FIG.1 and starts the transaction if the 
PIN can be confirmed. A transaction data which is ob- 
tained by the start of the transaction is output from the 

45 transaction processing means 10. The transaction 
data and an address data which designates a write 
address within the IC card 1 are supplied to the trans- 
action historical information generating means 11 
within the terminal 9 and the write means 5 and the 

50 renewing means 7 within the IC card 1 . 

The write means 5 writes the received transac- 
tion data at a designated address of the transaction 
data storage region 8 of the second memory 4. The 
renewing means 7 reads the transaction execution 

55 identifying information from an address of the stor- 
age region 27 set depending on the designated ad- 
dress, and renews the value of the transaction exe- 
cution identifying information for every transaction. 
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The renewed transaction execution identifying infor- 
mation is written into the storage region 27 and the re- 
newing means 7 supplies to the verified data gener- 
ating means 6 an information which designates the 
region into which the renewed transaction execution 
identifying information is written. 

The verified data generating means 6 uses the in- 
formation which is received from the renewing means 
7 to read out the renewed transaction execution iden- 
tifying information from the storage region 27 and to 
generate the verified data. This verified data is sup- 
plied to the transaction historical information generat- 
ing means 11 within the terminal 9. 

The transaction historical information generating 
means 11 receives the verified data, the transaction 
data from the transaction processing means 10 and 
the information for designating the region within the 
IC card 1. The transaction historical information gen- 
erating means 11 generates a transaction historical 
information which includes at least these three kinds 
of data and supplies the transaction historical infor- 
mation to the memory device 12. 

Accordingly, when the transaction historical in- 
formation is generated within the terminal 9 without 
the use of the IC card 1 , the value of the verified data 
of the IC card 1 is no longer in conformance with the 
generating algorithm. Even when the transaction is 
made, the value of the verified data included in the 
transaction historical information which is stored in 
the memory device 12 after the transaction is differ- 
ent from the value of the verified data which is gen- 
erated from the transaction execution identifying in- 
formation which is renewed for every transaction and 
is stored in the second memory 4 of the IC card 1 . 

Next, a description will be given of a first embodi- 
ment of the transaction authentication system ac- 
cording to the present invention, by referring to FIG.2. 
In FIG.2, those parts which are basically the same as 
those corresponding parts in FIG.1 are designated by 
the same reference numerals, and a description 
thereof will be omitted. In FIG.2, a POS terminal 20 
corresponds to the terminal 9 shown in FIG.1 , and an 
IC card 21 corresponds to the IC card 1 shown in 
FIG.1. 

FIG.3 shows an embodiment of the IC card 21. In 
FIG.3, those parts which are basically the same as 
those corresponding parts in FIG.1 are designated by 
the same reference numerals, and a description 
thereof will be omitted. The processor 2 of the IC card 
21 comprises the first memory 3, the second memory 
4, the write means 5, an adder means 24, a serial 
number generating means 25 and a serial number in- 
forming means 26. The adder means 24, the serial 
number generating means 25 and the serial number 
informing means 26 correspond to the verified data 
generating means 6 and the renewing means 7. 

When the IC card 21 receives a write command 
from the POS terminal 20 and the transaction data 



which is included within the parameter of the write 
command as the write data, the write means 5 of the 
processor 2 stores the transaction data into the trans- 
action data storage region 8 of the second memory 4. 

5 On the other hand , when storing the transaction data, 
the adder means 24 adds a constant value to an initial 
value and the added value (serial number) is stored 
in the storage region 27 of the second memory as the 
transaction execution identifying information. The 

10 added value is thereafter supplied to the serial num- 
ber generating means 25. 

The serial number generating means 25 gener- 
ates a serial number as the verified data. In this case, 
the serial number generating means 25 outputs the 

15 transaction execution identifying information (added 
value which is a serial number) as it is. The transac- 
tion execution identifying information (serial number) 
becomes "0" when forming the transaction data stor- 
age region 8 and is thereafter incremented by one, for 

20 example, every time the transaction data is written. 
Hence, the transaction execution identifying informa- 
tion is for example a serial number x 1t x 2 , ... . 

The serial number is returned to the POS termi- 
nal 20 via the serial number informing means 26. 

25 The hardware structure of the IC card 21 itself is 
known. FIGS.4A and 4B respectively are a perspec- 
tive view and a system block diagram for explaining 
the IC card 21 shown in FIG.3 in more detail. The IC 
card 21 shown in FIGS.4Aand 4B comprises a central 

30 processing unit (CPU) 30 which corresponds to the 
processor 2, a read only memory (ROM) 31 which 
corresponds to the first memory 3, an electrically 
erasable programmable ROM (EEPROM) 32 which 
corresponds to the second memory 4, and contacts 

35 33 for signal input/output. 

The CPU 30, the ROM 31 and the EEPROM 32 
which are made up of semiconductor elements have 
extremely small sizes and is capable of making com- 
plex signal processings and providing large memory 

40 capacities. For this reason, unlike the magnetic stripe 
card which is limited to a single function, the IC card 
21 can be used to receive a plurality of services with 
the same card. For example, the services may in- 
clude a credit service, deposits and savings services, 

45 a hospital service, various private club services and 
the like. In addition, even when the IC card 21 is used 
to receive only the credit service, for example, the 
same card may be used for transactions with a plur- 
ality of stores and offices, accounts provided inde- 

50 pendently for each of the stores and offices, accounts 
in a plurality of banks and the like. 

The IC card 21 is loaded into a card reader/writer 
(not shown) which is connected to the POS terminal 
20. The card reader/writer reads from the IC card 21 

55 the card identification information which identifies 
the IC card 21 , and supplies the card identification in- 
formation to a host computer (not shown). The host 
computer returns to the POS terminal a region desig- 
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nating information and the like for 20 designating a 
transaction data storage region 8 within the IC card 
21. 

Prior to making the transaction using the IC card 
21, a check is made to prevent illegal use of the IC 5 
card 21. For example, a personal identification num- 
ber (PIN) is entered by the user and the POS terminal 
20 discriminates whether or not the entered PIN cor- 
responds with a PIN which is prerecorded on the IC 
card 21, and the POS terminal 20 discriminates 10 
whether or not the use of the IC card 21 on the POS 
terminal 20 is permitted based on a terminal confir- 
mation code. 

Next, a description will be given of an operation 
of the first embodiment by referring to FIG.2. When 15 
the user uses the IC card 21 and purchases an item 
having a price of 200 dollars, for example, the opera- 
tor of the POS terminal 20 loads the IC card 21 into 
the card reader/writer of the POS terminal 20 and en- 
ters the transaction sum of 200 dollars into the POS 20 
terminal 20. In this case, the transaction processing 
means 10 of the POS terminal 20 outputs a transac- 
tion sum data of 200 dollars and a transaction date 
data which includes the year, month and date of the 
transaction. The transaction processing means 10 25 
further designates the storage region (area) where 
the transaction sum data and the transaction date 
data are to be stored. Based on the data received 
from the transaction processing means 10, the write 
means 5 of the IC card 21 writes the transaction data 30 
(transaction sum data and transaction date data) in a 
designated area Aof the second memory 4. Then, the 
serial number generating means 25 of the IC card 21 
generates the serial number. This serial number is 
stored in an internal memory and is supplied to the 35 
POS terminal 20. 

The transaction historical information generating 
means 1 1 of the POS terminal 20 adds the serial num- 
ber which is received from the IC card 21 to the trans- 
action data (transaction sum data and transaction 40 
date data), the card identification information (for ex- 
ample, a card ID "CARD001") of the IC card 21, and 
the region designating information (area A in this 
case), so as to generate a unique transaction histor- 
ical information among the plurality of IC cards, a plur- 45 
ality of POS terminals and a plurality of transaction 
data. The transaction historical information is written 
into the memory device 1 2 via a storing means 14. Af- 
ter the transaction ends, the transaction historical in- 
formation is written into a memory device 18 within a so 
host terminal 22 via communication means 1 5 and 16 
and a storing means 17 by a batch data transmission. 

The transaction is completed in the above descri- 
bed manner. When the transaction is legitimate, the 
serial numbers within the transaction historical infor- 55 
mation stored in the memory devices 12 and 18 
change regularly in conformance with the generating 
algorithm. Hence, it is possible to authenticate the 



transaction by checking the change in the values of 
the serial numbers. When the transaction is legiti- 
mate, the serial number stored in the IC card 21 con- 
stantly corresponds with the serial number of the last 
transaction stored in the memory devices 12 and 18. 

For example, the transaction historical informa- 
tion received from the POS terminal 20 may have 
been generated by an illegal user who not only knows 
the PIN but also knows the generating algorithm for 
the serial number. Such an illegal user can operate 
the POS terminal 20 and generate the transaction 
historical information without actually using the IC 
card 21. In this case, it is impossible to prohibit the il- 
legal transaction itself, however, the serial numbers 
stored in the memory devices 12 and 18 after the 
transaction is made become different from the serial 
number stored in the IC card 21. Therefore, it is pos- 
sible to find out that the illegal transaction has been 
made by verifying the serial number stored in the IC 
card 21 and the serial numbers stored in the memory 
devices 1 2 and 1 8, since the stored serial numbers do 
not correspond in the case of the illegal transaction. 

In the first embodiment, the serial number is used 
as the verified data. However, it is possible to use a 
function as the verified data. In this case, the trans- 
action execution identifying information x is taken as 
an argument and the verified data generating means 
6 generates a function F(x). For example, the trans- 
action execution identifying information x has an ini- 
tial value Xq and is renewed for every transaction such 
that the transaction execution identifying information 
x has a value x k when a kth transaction is made. 

The function generated by the verified data gen- 
erating means 6 need not necessarily be a single ar- 
gument function and may be a multiple argument 
function. In the case of the multiple argument func- 
tion, n arguments (x 1f x 2 , x 3 , .... xj are renewed for 
every transaction. 

The transaction execution identifying informa- 
tion for example has the initial value Xo and values x 1? 
x 2 , x 3 , xk which are calculated for every transac- 
tion. All of these values of the transaction execution 
identifying information may be stored in the storage 
region 27 of the second memory 4. As an alternative, 
it is also possible to store only the final value of the 
transaction execution identifying information in the 
storage region 27 of the second memory 4. 

Next, a description will be given of a second em- 
bodiment of the transaction authentication system 
according to the present invention. FIG.5 shows an 
embodiment of the IC card used in the second em- 
bodiment of the transaction authentication system 
according to the present invention. In FIG.5, an IC 
card 51 comprises a terminal group 52, an input/out- 
put interface 53, a CPU 54, drivers 55, 56 and 57, a 
random access memory (RAM) 58, a ROM 59, an EE- 
PROM 60, and a system bus 61. 

The terminal group 52 comprises a power source 
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terminal Vcc for receiving a power source voltage, a 
ground terminal GND for receiving a ground voltage, 
a reset terminal RST for receiving a reset signal, a 
programming terminal Vpp for receiving a program- 
ming voltage, a clock terminal CLK for receiving a 5 
clock signal, and an input/output terminal I/O for in- 
putting and outputting serial data. The terminals of 
the terminal group 52 other than the input/output ter- 
minal I/O are connected to the CPU 54. The input/out- 
put terminal is connected to the input/output interface 10 
53. 

The input/output interface 53 converts a serial in- 
put data into a parallel input data. When a predeter- 
mined number of bits of data (for example, four to 
eight bits of data) is received, the input/output inter- 15 
face 53 interrupts the CPU 54 by sending an interrupt 
signal. On the other hand, when sending a data from 
the IC card 51 to a terminal (not shown), the data is 
output serially from the input/output interface 53 via 
the input/output terminal I/O of the terminal group 52. 20 
When outputting the data from the IC card 51, the 
CPU 54 sets a parallel data (for example, eight bits) 
in the input/output interface 53 and the set data is au- 
tomatically output via the input/output terminal I/O 
with a timing determined by the clock signal received 25 
from the clock terminal CLK. 

The drivers 55, 56 and 57 respectively drive the 
RAM 58, the ROM 59 and the EEPROM 60. The in- 
put/output interface 53, the CPU 54, the drivers 55 
through 57, the RAM 58, the ROM 59 and the EE- 30 
PROM 60 are coupled by the system bus 61 . The sys- 
tem bus 61 is made up of an address bus 61a, a data 
bus 61b, and an input/output control bus 61c. For ex- 
ample, the address bus 61a and the data bus 61b re- 
spectively are 8-bit buses. The input/output control 35 
bus 61c is used for transmitting the clock signal, the 
ground voltage, the power source voltage, the inter- 
rupt signal and the like. 

The RAM 58 is used as a work area for the CPU 
54 when making calculations and the like during the 40 
transaction. The ROM 59 stores programs of the CPU 
54 and corresponds to the ROM 31 shown in FIGS.4A 
and 48. The EEPROM 60 stores the account number, 
PIN, balance of the account, transaction history, final 
transaction information, transaction historical infor- 45 
mation and the like and corresponds to the EEPROM 
32 shown in FIGS.4A and 4B. 

The IC card 51 is used on a terminal such as the 
POS terminal 20 described before in conjunction with 
the first embodiment 50 

FIGS.6A, 6B and 6C respectively are flow charts 
for explaining an operation of the CPU 54 of the IC 
card 51 shown in FIG.5. In FIG.6A, when an internal 
process of the IC card 51 is started and a card ID re- 
quest is received, a step S1 reads the card I D from the 55 
EEPROM 60. The read card ID is supplied to the ter- 
minal and a desired service is selected from the ter- 
minal. Astep S2 reads a service name of the selected 



service from the ROM 59. A step S3 discriminates 
whether or not the service name is found in the ROM 
59. When the discrimination result in the step S3 is 
NO, a selection error information is supplied to the 
terminal. But when the discrimination result in the 
step S3 is YES, a step S4 requests authentication to 
the terminal. The terminal then supplies an authenti- 
cate code or key (PIN) which is necessary to make the 
selection, and a step S5 develops the authenticate 
code which corresponds to the selected service from 
the EEPROM 60 to the RAM 58. A step S6 develops 
an error number counter in the RAM 58. 

A step S7 discriminates whether or not the au- 
thenticate code which is received from the terminal 
corresponds with the authenticate code which is de- 
veloped in the RAM 58. When the discrimination re- 
sult in the step S7 is YES, a step S8 clears the error 
number counter and stores the authenticate code in 
the EEPROM 60. Astep S9 stores in the EEPROM 60 
an information which indicates that the authentication 
is ended, and the authentication end information is 
supplied to the terminal and the process advances to 
a step S21 shown in FIG.6B. 

On the other hand, when the discrimination result 
in the step S7 is NO, a step S 1 0 increments the count- 
ed value in the error number counter and stores the 
incremented value in the EEPROM 60. Astep S11 dis- 
criminates whether or not the counted value in the er- 
ror number counter is greater than a predetermined 
number. When the discrimination result in the step 
S11 is NO, a legitimacy error information is supplied 
to the terminal. But when the discrimination result in 
the step S11 is YES, a step S12 sets a lock flag within 
the EEPROM 60 to an ON state and a locked state in- 
formation is supplied to the terminal. When the lock 
flag is ON, the IC card 51 is made unusable for the 
selected service, and a locked state information is 
supplied to the terminal. In other words, the lock flag 
indicates whether or not the selected service is ac- 
cessible by the IC card 51. 

As described before, the IC card 51 may be used 
to receive various services. Hence, it is inconvenient 
if the IC card 51 were made unusable for all the ser- 
vices even when only predetermined one or more ser- 
vices should actually be made non-accessible. 
Therefore, in actual practice, the error number coun- 
ter is provided for each service and the predeter- 
mined number used for the comparison in the step 
S11 is set for each service. In other words, a lock flag 
is provided for each service accessible by the IC card 
51. For the sake of convenience, a description will 
hereunder be given of a case where only one lockf lag 
is provided. 

In FIG.6B, a transaction information write com- 
mand including a transaction information and a write 
position within the IC card 51 is received from the ter- 
minal. Astep S21 reads an authentication completion 
information, and a step S22 reads the lock flag. Astep 
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S23 discriminates whether or not the lock flag is ON. 
When the discrimination result in the step S23 is YES, 
a locked state information is supplied to the terminal. 
On the other hand, when the discrimination result in 
the step S23 is NO, a step S24 discriminates whether 5 
or not the authentication is ended. When the discrim- 
ination result in the step S24 is NO, an authentication 
error information is supplied to the terminal. When the 
discrimination result in the step S24 is YES, a step 
S25 develops the access qualification information of 10 
the user in accordance with the authentication infor- 
mation from the EEPROM 60 to the RAM 58. 

A step S26 discriminates whether or not the user 
has a right to write information. When the discrimina- 
tion result in the step S26 is NO, an access qualif ica- 15 
tion error information is supplied to the terminal. But 
when the discrimination result in the step S26 is YES, 
a step S27 transfers the necessary information from 
the EEPROM 60 to the RAM 58 and a step S28 dis- 
criminates whether or not a designated write position 20 
exists. When the discrimination result in the step S28 
is NO, a designation error information is supplied to 
the terminal. On the other hand, when the discrimin- 
ation result in the step S28 is YES, a step S29 writes 
the data at the designated write position within the 25 
RAM 58. A step S30 develops the transaction serial 
number from the EEPROM 60 to the RAM 58, and a 
step S31 increments the transaction serial number in 
the RAM 58. The process then advances to a step 

541 shown in FIG.6C. 30 
In FIG.6C, the step S41 by calculation generates 

the verified data in conformance with a generating al- 
gorithm based on unique numbers such as the trans- 
action serial number and the transaction date. A step 

542 stores the verified data in the RAM 58. Astep S43 35 
discriminates whether or not all of the processes are 
correctly ended. When the discrimination result in the 
step S43 is NO, a write error information is supplied 

to the terminal. On the other hand, when the discrim- 
ination result in the step S43 is YES, a step S44 stores 40 
the write information, the verified data and the trans- 
action serial number in the EEPROM 60. Astep S45 
discriminates whether or not the data are correctly 
stored in the EEPROM 60 in the step S44. When the 
discrimination result in the step S45 is NO, a memory 45 
error information is supplied to the terminal. When the 
discrimination result in the step S45 is YES, a step 
S46 assembles the transmitting data and an end in- 
formation including a normal end information and the 
verified data is supplied to the terminal. When a 50 
transaction end information is received from the ter- 
minal, a step S47 ends the process by releasing the 
RAM 58 and the process is ended. 

FIG.7 generally shows an embodiment of a card 
reader/writer which is used in the second embodi- 55 
ment. Of course a similar card reader/writer may be 
used in the first embodiment In FIG.7, a card read- 
er/writer 70 generally comprises a card inserting 



opening 71, a magnetic head 72, a timing belt 73, a 
card transport path 74, a contact part 75, a motor 76, 
a roller 77, a printed circuit 78 which has the CPU 54, 
the ROM 59 and the like arranged thereon, and a cov- 
er 79 which is indicated by a phantom line. 

When the IC card 51 is inserted into the card in- 
serting opening 71, the IC card 51 is transported 
along the card transport path 74 by a transport mech- 
anism to a loaded position where contacts of the con- 
tact part 75 make contact with the corresponding ter- 
minals of the terminal group 52 of the IC card 51 . The 
transport mechanism includes the motor 76 which ro- 
tates the roller 77 so as to drive the timing belt 73. 

In this embodiment, the magnetic head 72 is pro- 
vided to read a magnetic stripe of the IC card 51 . The 
provision of the magnetic head 72 enables the card 
reader/writer 70 to read the magnetic stripes of both 
the IC card 51 and the conventional magnetic. In 
other words, there is card interchangeably among 
the IC cards and the magnetic stripe cards. However, 
it is not essential to provide the magnetic head 72 on 
the card reader/writer 70. In addition, the card read- 
er/writer 70 may be a part of the terminal or be a unit 
independent of the terminal. 

Further, the present invention is not limited to 
these embodiments, but various variations and mod- 
ifications may be made without departing from the 
scope of the present invention as defined in the 
claims. 



Claims 

1. A transaction authentication system comprising 
terminal means (9, 20) comprising first process- 
ing means (10, 11) and a card reader/writer (70); 
first memory means (12, 18); and an integrated 
circuit card (1 , 21 , 51) which is detachably loaded 
into said card reader/writer, said card comprising 
second processing means (2, 30, 54) and second 
memory means (3, 4, 31 , 32, 58, 59, 60); wherein 
said terminal means (9, 20) supplies transaction 
data which is related to a transaction and a des- 
ignated storage region in said second memory 
means (3, 4, 31, 32, 58, 59, 60) for storing the 
transaction data in said card (1,21, 51) when said 
card accesses a service via said terminal means; 
said second processing means (2, 30, 54) of said 
card writes the transaction data received from 
said terminal means in the designated storage re- 
gion of said second memory means, and also 
generates verified data which is renewed every 
time the transaction data is written into said sec- 
ond memory, said verified data having a value in 
conformance with a predetermined generating al- 
gorithm, said verified data being stored in said 
second memory means and also supplied to said 
terminal means; and said first processing means 
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(10, 11) of said terminal means generates trans- 
action historical information which includes at 
least the designated storage region, the transac- 
tion data and the verified data and stores the 
transaction historical information in said first 
memory means, whereby a transaction is au- 
thenticatable by comparing the verified data stor- 
ed in said first memory means (12, 18) and the 
verified data stored in said second memory 
means, non-correspondence of the verified data 
indicating that an illegal transaction has been 
made. 

2. The transaction authentication system as 
claimed in claim 1, characterized in that said first 
memory means (12) is connected to said terminal 
means (9, 20) and is provided exclusively for said 
terminal means. 

3. The transaction authentication system as 
claimed in claim 1, characterized in that said first 
memory means (18) is coupled to said terminal 
means (9, 20) via communication means (1 5, 1 6). 

4. The transaction authentication system as 
claimed in any of claims 1 to 3, characterized in 
that said terminal means (9, 20) is constituted by 
a point-of-sales terminal (20). 

5. The transaction authentication system as 
claimed in any of claims 1 to 4, characterized in 
that said integrated circuit card (1, 21, 51) further 
comprises a terminal group (33, 52) which is cou- 
pled to said second processing means (30, 54), 
said card reader/writer (70) of said terminal 
means (9, 20) reading/writing serial data with re- 
spect to said integrated circuit card via said ter- 
minal group. 

6. The transaction authentication system as 
claimed in any of claims 1 to 5, characterized in 
that said second processing means (30, 54) of 
said integrated circuit card (1, 21, 51) generates 
a serial number as the verified data. 

7. The transaction authentication system as 
claimed in any of claims 1 to 5, characterized in 
that said second processing means (30, 54) of 
said integrated circuit card (1, 21, 51) generates 
an n-argument function as the verified data, 
where n = 1, 2 

8. The transaction authentication system as 
claimed in any of claims 1 to 5, characterized in 
that said second processing means (30, 54) of 
said integrated circuit card (1, 21, 51) generates 
as the verified data a value which is unique for 
each transaction. 



9. The transaction authentication system as 
claimed in any of claims 1 to 8, characterized in 
that said second processing means (30, 54) of 
said integrated circuit card (1, 21, 51) stores in 

5 said second memory means (3, 4, 31 , 32, 58, 59, 

60) only a verified data which is generated with 
respect to a last transaction. 

10. The transaction authentication system as 
10 claimed in any of claims 1 to 9, characterized in 

that said second memory means (3, 4, 31 , 32, 58, 
59, 60) comprises a first memory (31 , 59) for stor- 
ing programs for carrying out processes on said 
second processing means (30, 54) and a second 
15 memory (32, 60) for storing data. 

11. The transaction authentication system as 
claimed in claim 10, characterized in that said 
first memory (31 , 59) is constituted by a read only 

20 memory and said second memory (32, 60) is con- 
stituted by an electrically erasable programma- 
ble read only memory. 

12. The transaction authentication system as 
25 claimed in claim 10, characterized in that said 

second memory means (3, 4, 31, 32, 58, 59, 60) 
further comprises a third memory (58) for provid- 
ing a work area for said second processing 
means (30, 54). 

30 

13. The transaction authentication system as 
claimed in claim 12, characterized in that said 
third memory (58) is constituted by a random ac- 
cess memory. 

35 

14. The transaction authentication system as 
claimed in any of claims 1 to 13, characterized in 
that said second processing means (30, 54) in- 
cludes means for setting a lock flag when an au- 

40 thenticate code which is received from said ter- 
minal means (9, 20) and corresponds to a select- 
ed service differs from an authenticate code stor- 
ed in said second memory means (3, 4, 31, 32, 
58, 59, 60) a predetermined number of times, 

45 said first lock flag which is set indicating that the 
selected service is non-accessible. 

15. The transaction authentication system as 
claimed in claim 14, characterized in that said 

so lock flag is set independently for each service. 

16. The transaction authentication system as 
claimed in any of claims 1 to 15, characterized in 
that said second processing means (30, 54) conrv 

55 prises write means (5) for writing the transaction 

data which is received from said terminal means 
(9, 20) into the designated storage region of said 
second memory means (3, 4, 31, 32, 58, 59, 60), 
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renewing means (7) for renewing a transaction 
execution identifying information which is stored 
in said second memory means every time the 
transaction data is received from said terminal 
means, and verified data generating means (6) 
for generating the verified data based on the 
transaction execution identifying information 
read from said second memory means. 

17. The transaction authentication system as 
claimed in ciaim 16, characterized in that said 
verified data generating means (6) supplies the 
transaction execution identifying information 
which is read from said second memory means 
(3, 4, 31, 32, 58, 59, 60) as it is to said terminal 
means (9, 20) as the verified data. 

18. The transaction authentication system as 
claimed in any of claims 1 to 17, characterized in 
that said second memory means (3, 4, 31 , 32, 58, 
59, 60) stores a card identification information, 
said second processing means (30, 54) of said in- 
tegrated circuit card (1, 21, 51) supplies the card 
identification which is read from said second 
memory means together with the verified data, 
and said first processing means (10, 11) of said 
terminal means (9, 20) generates the transaction 
historical information which also includes the 
card identification information. 



Patentanspruche 

1. Ein Transaktionsauthentisierungssystem mit ei- 
nem Terminalmittel (9, 20), das erste Verarbei- 
tungsmittel (10, 11) und einen Kartenleser/- 
schreiber (70) umfaBt; ersten Speichermitteln 
(12, 18); und einer Karte mit integrierter Schal- 
tung (1, 21, 51), die in den genannten Kartenle- 
ser/schreiber herausnehmbar geladen wird, wel- 
che Karte ein zweites Verarbeitungsmittel (2, 30, 
54) und zweite Speichermittel (3, 4, 31, 32, 58, 
59, 60) umfaSt; bei dem das genannte Terminal- 
mittel (9, 20) Transaktionsdaten liefert, die sich 
auf eine Transaktion und eine bezeichnete Spei- 
cherzone in den genannten zweiten Speichermit- 
teln (3, 4, 31, 32, 58, 59, 60) zum Speichern der 
Transaktionsdaten in der genannten Karte (1 , 21 , 
51) beziehen, wenn die genannte Karte uber das 
genannte Terminalmittel auf einen Dienst zu- 
greift; das genannte zweite Verarbeitungsmittel 
(2, 30, 54) der genannten Karte die Transaktions- 
daten, die von dem genannten Terminalmittel 
empfangen wurden, in die bezeichnete Speicher- 
zone der genannten zweiten Speichermittel 
schreibt und auch verif izierte Daten erzeugt, die 
jedes Mai, wenn die Transaktionsdaten in den ge- 
nannten zweiten Speicher geschrieben werden, 



erneuert werden, welche verif izierten Daten ei- 
nen Wert gemaS einem vorbestimmten Erzeu- 
gungsalgorithmus haben, welche verifizierten 
Daten in den genannten zweiten Speichermitteln 

5 gespeichert werden und auch dem genannten 

Terminalmittel zugefuhrt werden; und die ge- 
nannten ersten Verarbeitungsmittel (10, 11) des 
genannten Terminalmittels Transaktionsver- 
laufsinformationen erzeugen, die wenigstens die 

10 bezeichnete Speicherzone, die Transaktionsda- 
ten und die verifizierten Daten enthalten, und die 
Transaktionsverlaufsinformationen in den ge- 
nannten ersten Speichermitteln speichern, wo- 
durch eine Transaktion authentisierbar ist, indem 

15 die verifizierten Daten, die in den genannten er- 
sten Speichermitteln (12, 18) gespeichert sind, 
und die verifizierten Daten, die in den genannten 
zweiten Speichermitteln gespeichert sind, vergli- 
chen werden, wobei ein Nichtubereinstimmen 

20 der verifizierten Daten anzeigt, dad eine illegale 
Transaktion vorgenommen worden ist. 

2. Das Transaktionsauthentisierungssystem nach 
Anspruch 1, dadurch gekennzeichnet, dad das 
25 genannte erste Speichermittel (12) mit dem ge- 
nannten Terminalmittel (9, 20) verbunden ist und 
ausschlie&Jich fur das genannte Terminalmittel 
vorgesehen ist. 

30 3. Das Transaktionsauthentisierungssystem nach 
Anspruch 1, dadurch gekennzeichnet, dafc das 
genannte erste Speichermittel (18) mit dem ge- 
nannten Speichermittel (9, 20) uberKommunika- 
tionsmittel (15, 16) gekoppelt ist. 

35 

4. Das Transaktionsauthentisierungssystem nach 
irgendeinem der Anspruche 1 bis 3, dadurch ge- 
kennzeichnet, dad das genannte Terminalmittel 
(9, 20) durch ein Kassenterminal (20) gebildet ist 

40 

5. Das Transaktionsauthentisierungssystem nach 
irgendeinem der Anspruche 1 bis 4, dadurch ge- 
kennzeichnet, da& die genannte Karte mit inte- 
grierter Schaltung (1, 21, 51) ferner eine An- 

45 schlu&gruppe (33, 52) umfa&t, die mit dem ge- 
nannten zweiten Verarbeitungsmittel (30, 54) ge- 
koppelt ist, bei dem der genannte Kartenleser/- 
schreiber (70) des genannten Terminalmittels (9, 
20) serielle Daten bezuglich der genannten Karte 

so mit integrierter Schaltung uber die genannte An- 
schlu&gruppe liest/schreibt 

6. Das Transaktionsauthentisierungssystem nach 
irgendeinem der Anspruche 1 bis 5, dadurch ge- 

55 kennzeichnet, dak das genannte zweite Verar- 
beitungsmittel (30, 54) der genannten Karte mit 
integrierter Schaltung (1, 21, 51) als verifizierte 
Daten eine laufende Nummer erzeugt. 
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7. Das Transaktionsauthentisierungssystem nach 
irgendeinem der Anspruche 1 bis 5, dadurch ge- 
kennzeichnet, daft das genannte zweite Verar- 
beitungsmittel (30, 54) der genannten Karte mit 
integrierter Schaltung (1, 21, 51) als verifizierte 5 
Daten eine n-Argumentenfunktion erzeugt, wo- 
bein = 1,2, ... isL 

8. Das Transaktionsauthentisierungssystem nach 
irgendeinem der Anspruche 1 bis 5, dadurch ge- 10 
kennzeichnet, da& das genannte zweite Verar- 
beitungsmittel (30, 54) der genannten Karte mit 
integrierter Schaltung (1, 21, 51) als verifizierte 
Daten einen Wert erzeugt, der fur jede Transak- 

tion eindeutig ist. 15 

9. Das Transaktionsauthentisierungssystem nach 
irgendeinem der Anspruche 1 bis 8, dadurch ge- 
kennzeichnet, dafc das genannte zweite Verar- 
beitungsmittel (30, 54) der genannten Karte mit 20 
integrierter Schaltung (1, 21, 51) in den genann- 
ten zweiten Speichermitteln (3, 4, 31 , 32, 58, 59, 

60) nur verifizierte Daten speichert, die bezuglich 
einer letzten Transaktion erzeugt wurden. 

25 

10. Das Transaktionsauthentisierungssystem nach 
irgendeinem der Anspruche 1 bis 9, dadurch ge- 
kennzeichnet, dad die genannten zweiten Spei- 
chermittel (3, 4, 31, 32, 58, 59, 60) einen ersten 
Speicher (31, 59) zum Speichern von Program- 30 
men zum Ausfuhren von Verfahren bei dem ge- 
nannten zweiten Verarbeitungsmittel (30, 54) 

und einen zweiten Speicher (32, 60) zum Spei- 
chern von Daten umfassen. 

35 

11. Das Transaktionsauthentisierungssystem nach 
Anspruch 10, dadurch gekennzeichnet, da& der 
genannte erste Speicher (31, 59) durch einen 
Nur-Lese-Speicher gebildet ist und der genannte 
zweite Speicher (32, 60) durch einen elektrisch 40 
loschbaren programmierbaren Nur-Lese-Spei- 
cher gebildet ist. 

12. Das Transaktionsauthentisierungssystem nach 
Anspruch 10, dadurch gekennzeichnet, daft die 45 
genannten zweiten Speichermittel (3, 4, 31, 32, 

58, 59, 60) ferner einen dritten Speicher (58) zum 
Vorsehen eines Arbeits bereichs fur das genannte 
zweite Verarbeitungsmittel (30, 54) umfassen. 

50 

13. Das Transaktionsauthentisierungssystem nach 
Anspruch 12, dadurch gekennzeichnet, dafc der 
genannte dritte Speicher (58) durch einen Spei- 
cher mit wahlf reiem Zugriff gebildet ist 

55 

14. Das Transaktionsauthentisierungssystem nach 
irgendeinem der Anspruche 1 bis 13, dadurch ge- 
kennzeichnet, dad das genannte zweite Verar- 



beitungsmittel (30, 54) ein Mittel enthalt, zum 
Setzen eines Verriegelungsflags, wenn sich ein 
Authentisierungskode, der von dem genannten 
Terminalmittel (9, 20) empfangen wird und einem 
ausgewahlten Dienst entspricht, von einem Au- 
thentisierungskode, der in den genannten zwei- 
ten Speichermitteln (3, 4, 31, 32, 58, 59, 60) ge- 
speichert ist, vorbestimmte Male unterscheidet, 
welches erste Verriegelungsf lag, das gesetzt ist, 
anzeigt, daft der ausgewahlte Dienst nicht zu- 
ganglich ist. 

15. Das Transaktionsauthentisierungssystem nach 
Anspruch 14, dadurch gekennzeichnet, daft das 
genannte Verriegelungsflag fur jeden Dienst un- 
abhangig gesetzt wird. 

16. Das Transaktionsauthentisierungssystem nach 
irgendeinem der Anspruche 1 bis 15, dadurch ge- 
kennzeichnet, daft das genannte zweite Verar- 
beitungsmittel (30, 54) ein Schreibmittei (5) um- 
fa&t, zum Schreiben von Transaktionsdaten, die 
von dem genannten Terminalmittel (9, 20) emp- 
fangen wurden, in die bezeichnete Speicherzone 
der genannten zweiten Speichermittel (3, 4, 31, 32, 
58, 59, 60), ein Erneuerungsmittel (7) zum Erneuern 
von Transaktionsausfuhrungskenninfbrmationen, 
die in den genannten zweiten Speichermitteln ge- 
speichert sind, jedes Mai, wenn die Transaktions- 
daten von dem genannten Terminalmittel emp- 
fangen werden, und ein Erzeugungsmittel von ve- 
rifizierten Daten (6) zum Erzeugen der verifizierten 
Daten auf der Grundlage von Transaktions- aus- 
fuhrungskenninformationen, die aus den ge- 
nannten zweiten Speichermitteln gelesen wur- 
den. 

17. Das Transaktionsauthentisierungssystem nach An- 
spruch 16, dadurch gekennzeichnet, dafc das ge- 
nannte ErzeugungsmittBl von verifizierten Daten (6) 
dieTransaktionsausfuhrungskenninformationen, 
die aus den genannten zweiten Speichermitteln 
(3, 4, 31, 32, 58, 59, 60) gelesen wurden, dem ge- 
nannten Terminalmittel (9, 20) als verifizierte Da- 
ten zuf uhrt wie sie sind. 

18. Das Transaktionsauthentisierungssystem nach 
irgendeinem der Anspruche 1 bis 17, dadurch ge- 
kennzeichnet, dad die genannten zweiten Spei- 
chermittel (3, 4, 31, 32, 58, 59, 60) Kartenkenn- 
informationen speichern, das genannte zweite 
Verarbeitungsmittel (30, 54) dergenannten Karte 
mit integrierter Schaltung (1, 21, 51) das Karten- 
kennzeichen, das aus den genannten zweiten 
Speichermitteln gelesen wurde, zusammen mit 
den verifizierten Daten liefert, und die genannten 
ersten Verarbeitungsmittel (10, 11) des genann- 
ten Terminalmittels (9, 20) die Transaktionsver- 



15 



20 



25 



30 



35 



10 



19 



EP 0 363 122 B1 



20 



laufsinformationen erzeugen, die auch die 
Kartenkenninformationen enthalten. 



Revendications 

1. Systeme d'authentification de transaction, 
comprenant des moyens formant terminal (9, 20) 
comprenant des premiers moyens de traitement 
(10, 11) et un lecteur/enregistreur de cartes (70), 
des premiers moyens formant memoire (12, 18); 
et une carte a circuit integre (1,21,51) qui est in- 
troduce de facon detachable dans ledit lec- 
teur/enregistreur de cartes, ladite carte compre- 
nant des deuxiemes moyens de traitement (2, 30, 
54) et des deuxiemes moyens formant memoire 
(3, 4, 31, 32, 58, 59, 60); dans lequei lesdits 
moyens formant terminal (9, 20) fournissent des 
donnees de transaction qui sont relatives a une 
transaction et a une zone de memorisation desi- 
gnee dans lesdits deuxiemes moyens formant 
memoire (3, 4, 31, 32, 58, 59, 60) pourmemoriser 
les donnees de la transaction sur ladite carte (1, 
21, 51) lorsque ladite carte accede a un service 
parl'intermediaire desdits moyens formant termi- 
nal; lesdits deuxiemes moyens de traitement (2, 
30, 54) de ladite carte ecrivent les donnees de la 
transaction recues desdits moyens formant ter- 
minal dans la zone de memorisation designee 
desdits deuxiemes moyens formant memoire et 
produisent des donnees verifiees qui sont renou- 
velees chaque fois que les donnees de la tran- 
saction sont ecrites dans ladite deuxieme memoi- 
re, lesdites donnees verifiees ayant une valeur 
conforms a un algorithme generateur predetermi- 
ne, lesdites donnees verifiees etant memorisees 
dans lesdits deuxiemes moyens formant memoi- 
re et en outre fournies auxdits moyens formant 
terminal; et lesdits premiers moyens de traite- 
ment (10, 11) desdits moyens formant terminal 
produisent des informations d'historique de la 
transaction qui comprennentau moins la zone de 
memorisation sesignee, les donnees la transac- 
tion et les donnees verifiees, et memorisent les 
informations d'historique de la transaction dans 
lesdits premiers moyens formant memoire, ce 
par quoi une transaction est authentifiable en 
comparant les donnees verifiees memorisees 
dans lesdits premiers moyens formant memoire 
(12, 18) et les donnees verifiees memorisees 
dans lesdits deuxiemes moyens formant memoi- 
re, la non-correspondance des donnees verif iees 
indiquant qu'une transaction illegale a ete effec- 
tuee. 

2. Systeme d'authentification de transaction selon 
la revendication 1, caracterise en ce que lesdits 
premiers moyens formant memoire (12) sont re- 



lids auxdits moyens formant terminal (9, 20) et 
sont prevus exclusivement pour lesdits moyens 
formant terminal. 

5 3. Systeme d'authentification de transaction seion 
la revendication 1 , caracterise en ce que lesdits 
premiers moyens formant memoire (18) sont re- 
lies auxdits moyens formant terminal (9, 20) par 
des moyens de telecommunications (15, 16). 

10 

4. Systeme d'authentification de transaction selon 
I'une quelconque des revendications preceden- 
tes, caracterise en ce que lesdits moyens formant 
terminal (9, 20) sontconstitues parun terminal de 

15 point de vente (20). 

5. Systeme d'authentification de transaction selon 
I'une quelconque des revendications 1 a 4, carac- 
terise en ce que ladite carte a circuit integre (1, 

20 21, 51) comprend en outre un groupe de bornes 
(33, 52) qui est relie auxdits deuxiemes moyens 
de traitement (30, 54), ledit lecteur/enregistreur 
de cartes (70) desdits moyens formant terminal 
(9, 20) I isant ou ecriva nt des donnees serie sur la- 

25 dite carte a circuit integre par I'intermediaire dudit 
groupe de bornes. 

6. Systeme d'authentification de transaction selon 
I'une quelconque des revendications preceden- 

30 tes, caracterise en ce que lesdits deuxiemes 

moyens de traitement (30, 54) de ladite carte a 
circu it integre (1, 21,51) produisent un numerode 
serie comme donnees verifiees. 

35 7. Systeme d'authentification de transaction selon 
I'une quelconque des revendications 1 a 5, carac- 
terise en ce que lesdits deuxiemes moyens de 
traitement (30, 54) de ladite carte a circuit integre 
(1,21,51) produisent une fonction a n arguments 

40 comme donnees verif iees, ou n = 1 , 2, ... . 

8. Systeme d'authentification de transaction selon 
I'une des revendications 1 a 5, caracterise en ce 
que lesdits deuxiemes moyens de traitement (30, 

45 54) de ladite carte a circuit integre (1 , 21 , 51 ) pro- 

duisent comme donnees verifiees une valeur qui 
est unique pour chaque transaction. 

9. Systeme d'authentification de transaction selon 
so I'une des revendications precedentes, caracteri- 
se en ce que lesdits deuxiemes moyens de trai- 
tement (30, 54) de ladite carte a circuit integre (1, 
21, 51) memorisent dans lesdits deuxiemes 
moyens formant memoire (3, 4, 31 , 32, 58, 59, 60) 

55 uniquement des donnees verifiees qui sont pro- 

duces pour la derniere transaction. 

10. Systeme d'authentification de transaction selon 

11 
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saction qui est memorisee dans lesdits deuxieme 
moyens formant memoire chaque fois que les 
donnees de la transaction sont revues desdits 
moyens formant terminal, et des moyens genera- 
5 teurs de donnees verif iees (6) pour produire les 

donnees verif iees sur la base de I' information 
identif iant ('execution de la transaction lue dans 
lesdits deuxieme moyens formant memoire. 

10 17. Systeme d'authentification de transaction selon 
la revendication 16, caracterise en ce que lesdits 
moyens generateurs de donnees verif iees (6) 
fournissent I'information identifiant I'execution 
de la transaction qui est lue dans lesdits deuxie- 
15 mes moyens formant memoire (3, 4, 31, 32, 58, 
59, 60) telle qu'elle est auxdits moyens formant 
terminal (9, 20) comme donnees verif iees. 



Tune des revendications 1 a 9, caracterise en ce 
que lesdits deuxiemes moyens formant memoire 
(3, 4, 31, 32, 58, 59, 60) comprennent une pre- 
miere memoire (31, 59) pour memoriser des pro- 
grammes pour executor des traitements dans 
lesdits deuxiemes moyens de traitement (30, 54) 
et une deuxieme mtmoire (32, 60) pour memori- 
ser des donnees. 

11. Systeme d'authentification de transaction selon 
la revendication 10, caracterise en ce que ladite 
premiere memoire (31 , 59) est constitute par une 
memoire morte et ladite deuxieme memoire (32, 
60) est constitute par une memoire morte pro- 
grammable effacable elect rique men t 

12. Systeme d'authentification selon la revendica- 
tion 10, caracterise en ce que lesdits deuxiemes 
moyens formant memoire (3, 4, 31, 32, 58, 59, 60) 
comprennent en outre une troisieme memoire 20 
(58) pour fournir une zone de travail pour lesdits 
deuxiemes moyens de traitement (30, 54). 

13. Systeme d'authentification de transaction selon 

la revendication 12, caracterise en ce que ladite 25 
troisieme memoire (58) est constitute par une 
memoire vive. 

14. Systeme d'authentification de transaction selon 
Tune quelconque des revendications preceden- 30 
tes, caracterise en ce que lesdits deuxiemes 
moyens de traitement (30, 54) comprennent des 
moyens pour etablir un drapeau de verrouillage 
quand un code authentique qui est recu desdits 
moyens formant terminal (9, 20) et correspond a 35 
un service selectionne differe d'un code 
d'authentification memorise dans lesdits deuxie- 
mes moyens formant memoire (3, 4, 31 , 32, 58, 

59, 60) un nombre predetermine de fois, led it dra- 
peau de verrouillage qui est etabli indiquant que 40 
le service selectionne n'est pas accessible. 

15. Systeme d'authentification de transaction selon 
la revendication 14, caracterise en ce que ledit 
drapeau de verrouillage est etalbi independam- 45 
ment pour chaque service. 

16. Systeme d'authentification de transaction selon 
Tune quelconque des revendications preceden- 

tes, caracterise en ce que lesdits deuxiemes so 
moyens de traitement (30, 54) comprennent des 
moyens d'tcriture (5) pour ecrire les donnees de 
la transaction qui sont recues desdits moyens 
formant terminal (9, 20) dans la zone de memo- 
risation designee desdits deuxiemes moyens for- 55 
mant memoire (3, 4, 31, 32, 58, 59, 60), des 
moyens de renouvellement (7) pour renouveler 
une information identifiant I'execution d'une tran- 



18. Systeme d'authentification de transaction selon 
I'une quelconque des revendications preceden- 
tes, caracterise en ce que lesdits deuxiemes 
moyens formant memoire (3, 4, 31 , 32, 58, 59, 60) 
memorisent une information ^identification de 
carte, lesdits deuxiemes moyens de traitement 
(30, 54) de ladite carte a circuit integre (1 , 21 , 51) 
fournit identification de la carte qui est lue dans 
lesdits deuxiemes moyens formant memoire 
avec les donnees verif iees, et lesdits premiers 
moyens de traitement (10, 11) desdits moyens 
formant terminal (9, 20) produisent les informa- 
tions d'historique de la transaction qui compren- 
nent egatement I'information ^identification de 
la carte. 
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FIG. 3 
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FIG.6B 
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FIG.6C 
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